Two-factor authentication (often shortened to 2FA) or Multi-Factor Authentication (MFA) provides a way of ‘double-checking’ that you really are the person you are claiming to be when you’re using online services, such as banking, email or social media. It is available on most of the major online services.


Why should I use 2FA?

Passwords can be stolen by cyber criminals – perhaps through a data breach (as above). Accounts that have been set up to use 2FA will require an extra check. Even if a criminal knows your password, they won’t be able to access your accounts.

The NCSC recommends that you set up 2FA on your ‘important’ accounts; these will typically be the ‘high value’ accounts that protect things that you really care about, and would cause the most harm to you if the passwords to access these accounts were stolen. You MUST also use it for your key personal email account, as criminals with access to your inbox can use it to reset passwords on your other accounts.

What are the different ‘types’ of 2FA

When 2FA is switched on, you’ll be asked to provide a second factor in order to access your account. There are several types of second factor available:

  • Text messages. Most services tend to offer 2FA over text message by default. During setup, you provide your phone number, and the service will send you a message containing the code to use. Some services can also send a code using voice message if you find this easier. Text messages are not the most secure type of 2FA, but still offer a huge advantage over not using any 2FA. Any two-factor authentication is better than not having it at all.
  • Authenticator Apps on your smart phone (or tablet) are the main alternative to text messages. Google Authenticator and Microsoft Authenticator are examples of this type of app. Once you’ve installed one, you can use the same app when setting up 2FA on any accounts that have this as an option. These apps offer lots of advantages over text messages, such as not needing a mobile signal, or having to wait for a text message to arrive.
  • Some accounts also give you a list of backup codes when you switch on 2FA. When asked for a code you can use one of these, but each code will only work once, so you’ll need to create more when you’ve used them all. Backup codes are really useful if you need to log on without a phone to hand. You will need to store the codes somewhere safe.
Do I have to use 2FA every time I access a service?

No. Once set up, you are often only be asked for it when you’re doing something where it would really matter if it was a cyber-criminal, rather than you. These are usually things like setting up a new payee for your bank account, logging into an account from a new device, or changing your password. Look for the ‘remember me’ option if you don’t share devices.

What if 2FA isn’t available?

The NCSC would like to see 2FA offered on all services which might hold your personal data, spend your money, or play another important role in your life. If 2FA is not available on one of your important accounts, like email, you should at least ensure that it has a strong unique password. You may even want to consider changing services to one that does offer two-factor authentication.

When to use an extra factor

As long as passwords are used for authentication, there will always be a chance that users and administrators will choose machine-guessable passwords and be susceptible to social engineering. Therefore:

  • Organisations should choose Cloud and Internet-connected services that offer a form of multi-factor authentication.
  • All users, including administrators, should use multi-factor authentication when using Cloud and Internet-connected services. This is particularly important when authenticating to services that hold sensitive or private data.
  • Administrators should, wherever possible, be required to use multi-factor authentication.
  • Organisations should consider carefully the use of services which only allow for single-factor authentication.
Additional considerations

The introduction of multi-factor authentication to online services may require your IT helpdesk to offer extra services to support users. If users lose their extra factor, they will need a way of reporting and replacing it. This could be offered directly by the service or via an enterprise portal. You will need to consider how your account reset and multi-factor token replacement processes verify that the user is who they say they are. You will need to ensure that an attacker cannot use these processes to bypass multi-factor authentication.

You will need to consider how administrators can gain access to the service if multi-factor authentication is unavailable. This could be caused by a service configuration or the loss of an authentication token. Accounts such as an emergency or ‘break glass’ account that use a single authentication factor should be the subject of increased protective monitoring so that its misuse can be easily detected.